UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Exchange application permissions are not at vendor recommended settings.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18802 EMG3-824 Exch2K3 SV-20526r1_rule ECLP-1 Medium
Description
Default product installations may provide more generous permissions than are necessary to run the application. By examining and tailoring permissions to more closely provide the least amount of privilege possible, attack vectors that align with user permissions are less likely to access more highly secured areas. Vendor-supplied policies are available to assist in further hardening the permissions set for Exchange. Application file permissions on Exchange 2003 servers can be set by importing the group policy for Exchange Back-End or Front-End servers. To the extent of file permissions, both policies set the same directory permissions as shown here.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22512r1_chk )
The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange back-end server (the Exchange_2003-Backend_V1_1.inf file and the Exchange_2003-Frontend_V1_1.inf file configure these settings automatically).

File ACL settings configured by Exchange_2003-Backend_V1_1.inf

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control

Apply to these directories:
%systemdrive%\Inetpub\mailroot\
%systemdrive%\Inetpub\NNTPfile\

The following permissions:
• Everyone – Full Control

Applies to this directory:
%systemdrive%\Inetpub\NNTPfile\root


The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Creator Owner – Full Control (subdirectories only)

Apply to these directories:
%systemdrive%\program files\exchsrvr and subs, but not ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories.

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Users – Read/Execute, List, Read
• Creator Owner – Full Control (subdirectories only)

Apply to these directories:
%systemdrive%\program files\exchsrvr (subs) >> ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories

Criteria: If files have vendor recommended permissions, this is not a finding.
Fix Text (F-19462r1_fix)
Procedure:
The following table lists the recommended baseline settings you should start with when hardening the services for an Exchange Back-end server (the Exchange_2003-Backend_V1_1.inf file and the Exchange_2003-Frontend_V1_1.inf file configure these settings automatically).

File ACL settings configured by Exchange_2003-Backend_V1_1.inf

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control

Apply to these directories:
%systemdrive%\Inetpub\mailroot\
%systemdrive%\Inetpub\NNTPfile\

The following permissions:
• Everyone – Full Control

Applies to this directory:
%systemdrive%\Inetpub\NNTPfile\root


The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Creator Owner – Full Control (subdirectories only)

Apply to these directories:
%systemdrive%\program files\exchsrvr and subs, but not ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories.

The following permissions:
• System – Full Control
• Builtin Administrators – Full Control
• Server Operators – Modify, Read/Execute, List, Read, Write
• Users – Read/Execute, List, Read
• Creator Owner – Full Control (subdirectories only)

Apply to these directories:
%systemdrive%\program files\exchsrvr (subs) >> ADDRESS, OMA, BIN, EXCHWEB, and RES subdirectories